I have some servers that I have set up on an internal LAN which I have made accessible using the “Virtual Servers” table set up so that a request to an external IP address on ETH0 gets mapped to the server’s IP address on ETH1 for the services I want to make visible. That all works fine.
I also have a guest LAN that I do not want to give access to all my internal systems, so I have separated it out onto ETH2 and have set up an entry in the FORWARD table so that packets cannot route from ETH2->ETH1, but I want the guests to have Internet access, so ETH2->ETH0 is allowed.
The problem is I cannot access the published services from a client on ETH2. It cannot access the server directly using the internal IP address on ETH1 because that is explicitly blocked. But I can’t access it on the external IP address either. I guess Linux applies the Virtual Server mapping to an address on ETH1 before routing the packet, so by the time it does get routed it has turned back into the same internal IP address that is blocked by the FORWARD table entry.
There is probably either an obvious or clever way of getting around this. Any thoughts, other than creating a higher priority FORWARD table rule for each target server?
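As an added example (not part of the original post), the rule set below shows the ordering the question describes: DNAT in PREROUTING happens before the routing decision, so FORWARD already sees the internal server address. Matching on conntrack state DNAT accepts only connections the nat table rewrote, which covers every virtual-server entry with one rule instead of one per target server. Interface names follow the post; the addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example: guests on eth2 reach DNAT-published services on eth1, nothing else.
# Interface names are from the post; the addresses below are constructed placeholders.
WAN_IF=eth0
LAN_IF=eth1
GUEST_IF=eth2
EXT_IP=203.0.113.10      # constructed: public address on eth0
SRV_IP=192.168.10.20     # constructed: published server on eth1

# $1 is the command to run (defaults to iptables); pass "echo" to preview the rules.
guest_hairpin_rules() {
    ipt=${1:-iptables}

    # Publish the service. Do not restrict this rule with "-i $WAN_IF":
    # guest traffic to the external address arrives on eth2 and must be rewritten too.
    $ipt -t nat -A PREROUTING -d "$EXT_IP" -p tcp --dport 443 \
        -j DNAT --to-destination "$SRV_IP:443"

    # Replies for connections already accepted in either direction.
    $ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Guest -> LAN: accept only connections that went through DNAT, then drop the rest.
    # The ACCEPT must precede the DROP; it covers every virtual-server entry at once.
    $ipt -A FORWARD -i "$GUEST_IF" -o "$LAN_IF" -m conntrack --ctstate DNAT -j ACCEPT
    $ipt -A FORWARD -i "$GUEST_IF" -o "$LAN_IF" -j DROP

    # Guest -> Internet stays open, masqueraded on the way out.
    $ipt -A FORWARD -i "$GUEST_IF" -o "$WAN_IF" -j ACCEPT
    $ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

    # No hairpin SNAT is needed for guest -> server traffic: guest and server are on
    # different subnets, so the server's replies route back through this box anyway.
}

# Preview with: guest_hairpin_rules echo    Apply with: guest_hairpin_rules
```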